64 replies to this topic

[Smarty]

I still haven't really heard any convincing arguments to keep it "inside" Game Maker directly. I think what might be safer is move it to extensions, then whenever a game/application uses extensions warn the user (1st time in) that these could contain unsafe code, if the user agrees, then never ask again.

But what argument can anyone bring up to keep it in, if you'd offer registry access through an extension as an alternative? I can see only two consequences: you'd have to bring in an extension, which isn't that big of a deal; and you'll have to be a Pro user instead of a Lite one.

If your next topic is going to be about removing execute_shell and execute_program, I don't think you need to bother asking us - just throw them out and put them in one extension with the registry access. They're on the same risk level.

[True Valhalla]

Removal of the registry functions is a loss of GM's usefulness -- it is counterproductive, to force users to rely on a DLL if they want to alter the registry. The security flaws would still be there, whether registry functionality is provided by GM or an application extension. It's embarrassing enough having to use a DLL for online functionality and another for decent INI file management, yet alone something as seemingly simple as a registry entry.

Personally, I find the registry functions very valuable. Not only are they the strongest client side method to permanently ban a computer from accessing my online game, amongst other uses ranging from monitoring multi-account creation to simply storing data away form the users view. I use HKEY_CLASSES_ROOT and several levels of the default key, in particular.

My suggestion is to patch any major security issues, but maintain the core functionality that the registry functions provide. Any major sections of the registry that would be obviously dangerous to alter could be blacklisted.

Simply, the security flaws will exist no matter what. If the functions are removed completely, registry users will be left isolated and have to resort to a DLL -- certainly not my idea of an upgraded product.

As opposed to paying for reduced functionality, I'd happily pay for patched functionality.

[mcmonkey]

I'd gladly pay to not have random noobs deciding they know what belongs in MY registry. If the registry must be edited, I would prefer knowing that it's an expert GM user that's doing it.

[Rusky]

If your next topic is going to be about removing execute_shell and execute_program, I don't think you need to bother asking us - just throw them out and put them in one extension with the registry access. They're on the same risk level.

They're also both on (almost) the same compatibility level. It would be nice to separate platform-specific functionality into extensions, contrary to what some people are saying.

[True Valhalla]

I'd gladly pay to not have random noobs deciding they know what belongs in MY registry.

Like your registry is some holy place that must not be touched, right? If you're so worried, then don't play games by authors you don't trust.

If the registry must be edited, I would prefer knowing that it's an expert GM user that's doing it.

Any idiot can use a DLL. In fact, it will probably be easier to alter the registry using a DLL than it is in GM!

[Chronic]

I would remove registry all together and add/improve other common ways to store data in a file, such as ini and xml. But with that said, i'm literate enough with computers to know that removing registry functions won't stop me from altering it if i wanted to.

[~Dannyboy~]

If your next topic is going to be about removing execute_shell and execute_program, I don't think you need to bother asking us - just throw them out and put them in one extension with the registry access. They're on the same risk level.

This. In fact those functions can be used to modify the registry, simply create a VBScript using the text file functions and then run it using execute_shell.

[mcmonkey]

I'd gladly pay to not have random noobs deciding they know what belongs in MY registry.

Like your registry is some holy place that must not be touched, right? If you're so worried, then don't play games by authors you don't trust.

It's not holy, but if it gets damaged too bad it'll be expensive to repair.

If the registry must be edited, I would prefer knowing that it's an expert GM user that's doing it.

Any idiot can use a DLL. In fact, it will probably be easier to alter the registry using a DLL than it is in GM!

If said idiot has $25 and knows how to transfer it online. And still takes some learning for said idiot.. not to mention, if it's a DLL, it'll be in the folder right next to the .exe. Which means I can see it's there and decide not to play..

[True Valhalla]

I'd gladly pay to not have random noobs deciding they know what belongs in MY registry.

Like your registry is some holy place that must not be touched, right? If you're so worried, then don't play games by authors you don't trust.

It's not holy, but if it gets damaged too bad it'll be expensive to repair.

Lol'd.

If the registry must be edited, I would prefer knowing that it's an expert GM user that's doing it.

Any idiot can use a DLL. In fact, it will probably be easier to alter the registry using a DLL than it is in GM!

If said idiot has $25 and knows how to transfer it online. And still takes some learning for said idiot.. not to mention, if it's a DLL, it'll be in the folder right next to the .exe. Which means I can see it's there and decide not to play..

The ability to buy Game Maker and use a DLL does not qualify someone as an "expert GM user"! For your information, a DLL can be renamed and included to only be extracted on game start up.

*sigh*

The point is, removing registry functionality won't make you any safer whatsoever.

[Dangerous_Dave]

The ability to buy Game Maker and use a DLL does not qualify someone as an "expert GM user"! For your information, a DLL can be renamed and included to only be extracted on game start up.

*sigh*

The point is, removing registry functionality won't make you any safer whatsoever.

Except for those of us who run games in secure mode, thereby stopping DLLs from being allowed .

[True Valhalla]

The ability to buy Game Maker and use a DLL does not qualify someone as an "expert GM user"! For your information, a DLL can be renamed and included to only be extracted on game start up.

*sigh*

The point is, removing registry functionality won't make you any safer whatsoever.

Except for those of us who run games in secure mode, thereby stopping DLLs from being allowed .

Heh, though GM's own registry functions are no risk then either

[Recreate]

The ability to buy Game Maker and use a DLL does not qualify someone as an "expert GM user"! For your information, a DLL can be renamed and included to only be extracted on game start up.

*sigh*

The point is, removing registry functionality won't make you any safer whatsoever.

Except for those of us who run games in secure mode, thereby stopping DLLs from being allowed .

Which is essentially nobody.

[Dangerous_Dave]

Which is essentially nobody.

You know the risks, it's your choice.

[Revel]

Personally, I don't like when things mess with my registry, but hey, thats how Windows works. I think the registry functionality should stay.

It doesn't really pose more of a security threat then other things. If it was removed, people could simply use DLLs (as others have mentioned here). Also, GM has been around for 10+ years and I haven't found a single malicious game that has messed up my registry, so I think it's safe to say that messing up the registry isn't exactly what users are trying to do.


Also, I don't use UAC, but doesn't it warn you if something writes to registry that could possibly mess up Windows? If someone can confirm this that would be great.

[Chronic]

I know many ways to alter the registry with out the use of execute_* functions, a DLL, and it will work regardless of safe mode.

However, just because it can be altered using other ways does not make the registry system functions any less of a security threat.

[Tan]

I think the use of registry must be limited to saving games and storing the values, because then it would ot be easy for anyone to open up the .sav file and make needed changes.

-Tan

[Dangerous_Dave]

It would be easy for them to open up the registry and make the changes. Just encrypt your save files.

[ragarnak]

Except for those of us who run games in secure mode, thereby stopping DLLs from being allowed .

That only works when test-starting from within the GM editor itself, not on executables.

Which is essentially nobody.

Than my name is "essentially nobody". I've set my system to switch on "Secure mode" every time I start my computer. Yes, by overwriting a certain entry in the Registry.

[sabriath]

Considering that there is 'ini' ability, I see no use in the registry (unless you are making an installer...but that doesn't deal with GM directly). There's a much higher chance of children screwing something up having it (or filling it up with useless crap) rather than actually having anything usable come from it.

My vote...deprecate it, move on. If someone REALLY needs use of it, I have some cheese and crackers for them.